Bug 2356228
| Summary: | Failed to resolve allow statement (nfs-ganesha) | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Kaleb KEITHLEY <kkeithle> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | ASSIGNED --- | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | rawhide | CC: | dwalsh, lvrabec, mmalik, omosnacek, pkoncity, vmojzis, zpytela |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | --- |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Description
Kaleb KEITHLEY
2025-03-31 14:47:37 UTC
nfs-ganesha-selinux installs "successfully" but there are no files installed at /var/lib/selinux/targeted/{active,tmp}/modules/200/ganesha.

```
# sudo dnf install -y nfs-ganesha-7.0-0.1dev.10.el10s.x86_64.rpm nfs-ganesha-selinux-7.0-0.1dev.10.el10s.noarch.rpm
...
Running transaction
Preparing : 1/1
Running scriptlet: nfs-ganesha-selinux-7.0-0.1dev.10.el10s.noarch 1/2
Installing : nfs-ganesha-selinux-7.0-0.1dev.10.el10s.noarch 1/2
Running scriptlet: nfs-ganesha-selinux-7.0-0.1dev.10.el10s.noarch 1/2
Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/200/ganesha/cil:61
Failed to resolve AST
semodule: Failed!
Running scriptlet: nfs-ganesha-7.0-0.1dev.10.el10s.x86_64 2/2
Installing : nfs-ganesha-7.0-0.1dev.10.el10s.x86_64 2/2
Running scriptlet: nfs-ganesha-7.0-0.1dev.10.el10s.x86_64 2/2
Installed:
nfs-ganesha-7.0-0.1dev.10.el10s.x86_64
nfs-ganesha-selinux-7.0-0.1dev.10.el10s.noarch
Complete!
# ls /var/lib/selinux/targeted/active/modules/200/
container passt passt-repair pasta smartmon
# ls /var/lib/selinux/targeted/tmp/modules/200/
container passt passt-repair pasta smartmon
```

You can trivially reproduce this on your own c10s box by installing these three packages:

- https://cbs.centos.org/kojifiles/packages/libntirpc/7.0/0.2.068ebc76.el10s/x86_64/libntirpc-7.0-0.2.068ebc76.el10s.x86_64.rpm
- https://cbs.centos.org/kojifiles/packages/nfs-ganesha/7.0/0.1dev.10.el10s/x86_64/nfs-ganesha-7.0-0.1dev.10.el10s.x86_64.rpm
- https://cbs.centos.org/kojifiles/packages/nfs-ganesha/7.0/0.1dev.10.el10s/noarch/nfs-ganesha-selinux-7.0-0.1dev.10.el10s.noarch.rpm

or for c9s:

- https://cbs.centos.org/kojifiles/packages/libntirpc/7.0/0.2.068ebc76.el9s/x86_64/libntirpc-7.0-0.2.068ebc76.el9s.x86_64.rpm
- https://cbs.centos.org/kojifiles/packages/nfs-ganesha/7.0/0.1dev.10.el9s/x86_64/nfs-ganesha-7.0-0.1dev.10.el9s.x86_64.rpm
- https://cbs.centos.org/kojifiles/packages/nfs-ganesha/7.0/0.1dev.10.el9s/noarch/nfs-ganesha-selinux-7.0-0.1dev.10.el9s.noarch.rpm

I can try to resurrect the f42 packages, but they might have been deleted from koji by now.

---

Kaleb, can you check the content of the file on which line it is failing?

```
bunzip2 < /var/lib/selinux/targeted/active/modules/200/ganesha/cil | nl
```

or (if the installation failed)

```
bunzip2 < /var/lib/selinux/targeted/tmp/modules/200/ganesha/cil | nl
```

---
Tried the c10s package and checked the module:

```
60 (typeattributeset cil_gen_require cluster_t)
61 (typeattributeset cil_gen_require ceph_t)
62 (typeattributeset cil_gen_require ceph_log_t)
```

The type ceph_t is not defined and that's why installing fails.
Such failures could be prevented using optional blocks.

---

(In reply to Zdenek Pytela from comment #3)
> Tried the c10s package and checked the module:
>
> 60 (typeattributeset cil_gen_require cluster_t)
> 61 (typeattributeset cil_gen_require ceph_t)
> 62 (typeattributeset cil_gen_require ceph_log_t)
>
> The type ceph_t is not defined and that's why installing fails.
> Such failures could be prevented using optional blocks.

I guess you mean something like this in ganesha.te

```
...
optional_policy(`
    gen_require(`
        type ceph_t;
        type ceph_log_t;
    ')

    allow ganesha_t ceph_t:unix_stream_socket connectto;
    allow ganesha_t ceph_log_t:dir { add_name search write };
    allow ganesha_t ceph_log_t:file { create open };
')
...
```

(It sure is hard to find docs on how to do this.)

---

(In reply to Kaleb KEITHLEY from comment #4)
> I guess you mean something like this in ganesha.te
>
> ...
> optional_policy(`
>     gen_require(`
>         type ceph_t;
>         type ceph_log_t;
>     ')
>
>     allow ganesha_t ceph_t:unix_stream_socket connectto;
>     allow ganesha_t ceph_log_t:dir { add_name search write };
>     allow ganesha_t ceph_log_t:file { create open };
> ')
> ...

Which installs successfully, even including installing files in /var/lib/selinux/targeted/active/modules/200/ganesha/* and without emitting the error(s) in https://bugzilla.redhat.com/show_bug.cgi?id=2356228#c0. But I'm hesitant to declare victory with my limited knowledge of policy files and inability to find documentation.

---

Kaleb, I am not quite sure if there was a development on the ganesha side and nothing is now needed in selinux-policy?

> (It sure is hard to find docs on how to do this.)

We have an article which has been updated recently: https://access.redhat.com/articles/6999267

You should rather look for the proper interface from the ceph module.
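The thread above diagnoses the failure by decompressing the module's CIL and finding a `cil_gen_require` for a type (ceph_t) the target policy does not define. The following script is an added example, not part of the bug report or of either project: it extracts every type a CIL module requires and reports those absent from a list of known types, so a packager can catch this before `semodule` fails. It assumes the module has already been decompressed with `bunzip2 < .../modules/200/ganesha/cil` and that the known-type list comes from `seinfo -t` (setools); the CIL fragment and the type list embedded here are constructed to mirror the report.

```shell
#!/bin/sh
# Added example, not from the bug report: list the types a CIL module pulls in
# through "(typeattributeset cil_gen_require <type>)" and report the ones that
# the target policy does not define, which is what broke the ganesha module at
# cil:61. Real inputs would be
#   bunzip2 < /var/lib/selinux/targeted/tmp/modules/200/ganesha/cil   (the module)
#   seinfo -t                                                          (types in the loaded policy)
# Both inputs below are constructed for the demonstration.

# Print, one per line, every type named in a cil_gen_require statement in CIL file $1.
list_required_types() {
    sed -n 's/^[[:space:]]*(typeattributeset cil_gen_require \([A-Za-z0-9_.]*\)).*$/\1/p' "$1"
}

# Print the required types from CIL file $1 that do not appear in the type list $2.
find_missing_types() {
    list_required_types "$1" | while IFS= read -r t; do
        grep -qx -- "$t" "$2" || printf '%s\n' "$t"
    done
}

# Constructed CIL fragment with the same requires as lines 60-62 quoted in the report.
SAMPLE_CIL=$(mktemp)
KNOWN_TYPES=$(mktemp)
trap 'rm -f "$SAMPLE_CIL" "$KNOWN_TYPES"' EXIT
cat > "$SAMPLE_CIL" <<'EOF'
(typeattributeset cil_gen_require cluster_t)
(typeattributeset cil_gen_require ceph_t)
(typeattributeset cil_gen_require ceph_log_t)
(allow ganesha_t ceph_t (unix_stream_socket (connectto)))
EOF

# Constructed type list standing in for "seinfo -t" on a box without the ceph module.
cat > "$KNOWN_TYPES" <<'EOF'
cluster_t
ganesha_t
EOF

missing=$(find_missing_types "$SAMPLE_CIL" "$KNOWN_TYPES")
if [ -n "$missing" ]; then
    printf 'Required but undefined in the target policy:\n%s\n' "$missing"
    printf 'Wrap the rules that use them in optional_policy() or call the interface exported by the owning module.\n'
else
    printf 'All required types are defined.\n'
fi
```

On a real host, replace the two constructed files with `bunzip2 < /var/lib/selinux/targeted/tmp/modules/200/ganesha/cil > module.cil` and `seinfo -t > types.txt`, then call `find_missing_types module.cil types.txt`. Any type it prints is a hard requirement the module cannot satisfy on that policy, which is exactly the case the `optional_policy()` block in the thread avoids.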